Secure transmission of customer information
// Request is Illuminate\Http\Request; the method lives in a Laravel controller.
public function sendCustomerData(Request $request)
{
    // Every field of the incoming request is forwarded as-is.
    $customerData = $request->all();
    $client = new \GuzzleHttp\Client();
    // Plain HTTP: the customer data leaves the server unencrypted.
    $res = $client->request('POST', 'http://example.com/api/customer', [
        'form_params' => $customerData
    ]);
    return $res->getBody();
}
The above code is a Laravel controller method that forwards customer data to a remote server using the Guzzle HTTP client. The vulnerability is that the data is sent over plain HTTP rather than HTTPS, so it travels unencrypted, and the client has no way to authenticate the server it is talking to.
The line that introduces this vulnerability is:
    $res = $client->request('POST', 'http://example.com/api/customer', [
        'form_params' => $customerData
    ]);
The URL http://example.com/api/customer uses the http:// scheme. Anything POSTed to it crosses the network in cleartext, so anyone positioned on the path (a compromised network segment, a hostile proxy, a rogue access point) can read the customer data or modify it in transit.
// Request is Illuminate\Http\Request; the method lives in a Laravel controller.
public function sendCustomerData(Request $request)
{
    $customerData = $request->all();
    // 'verify' => true: validate the server certificate against trusted CAs.
    $client = new \GuzzleHttp\Client(['verify' => true]);
    // https:// instead of http://: the payload is encrypted in transit.
    $res = $client->request('POST', 'https://example.com/api/customer', [
        'form_params' => $customerData,
        'headers' => [
            'Content-Type' => 'application/x-www-form-urlencoded',
        ],
        // Explicit cURL verification flags (Guzzle already enables these
        // when 'verify' is true; they are kept here to make the intent visible).
        'curl' => [
            CURLOPT_SSL_VERIFYPEER => true,
            CURLOPT_SSL_VERIFYHOST => 2,
        ],
    ]);
    return $res->getBody();
}
The updated code uses HTTPS instead of HTTP, so the data is encrypted in transit. The Guzzle client is also configured to verify the server's TLS certificate ('verify' => true). This is Guzzle's default, so the option makes the intent explicit rather than changing behaviour; the setting to watch for in a code review is 'verify' => false, which keeps the https:// URL but accepts any certificate and thereby reintroduces the man-in-the-middle exposure. With verification on, the client authenticates the server before sending anything, which is what actually defeats an attacker who intercepts the connection.
The CURLOPT_SSL_VERIFYPEER option is set to true so that cURL validates the server's certificate chain against the trusted CA bundle and aborts the handshake if the chain cannot be verified. The CURLOPT_SSL_VERIFYHOST option is set to 2 so that cURL additionally checks that the name in the certificate (a Subject Alternative Name, or the Common Name as a fallback) matches the hostname in the URL; the older value 1 only checked that a name was present without comparing it, and 0 skips the check entirely. Both checks are needed: a valid certificate for the wrong host is still the wrong host.
The 'Content-Type' header is set to 'application/x-www-form-urlencoded', the standard content type for form data. Guzzle already sets this header itself when the 'form_params' option is used, so the explicit header is redundant but harmless.
This code ensures that the customer data is transmitted over a secure channel and that the server's certificate is valid for the hostname being contacted. If the certificate cannot be verified, Guzzle throws an exception (a subclass of GuzzleHttp\Exception\TransferException, such as RequestException or ConnectException) before the request body is sent, so the data never leaves the application in that case. Callers should catch that exception and fail closed rather than retrying over HTTP.
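The following is an added example, not code from the original page, showing how a practitioner would harden the same controller method further than the fix above: the URL scheme is checked before any request is made so a later config change to http:// fails loudly, certificate verification stays on with timeouts set, only whitelisted fields are forwarded instead of $request->all(), and transport or certificate failures are caught and reported rather than leaking as a 500. The config key services.customer_api.url, the controller class name, and the name/email fields are assumptions made for this example.

```php
<?php
// Added example (not from the original page). Assumes Laravel with Guzzle 7;
// the config key, class name and field names below are illustrative.

namespace App\Http\Controllers;

use GuzzleHttp\Client;
use GuzzleHttp\Exception\TransferException;
use GuzzleHttp\RequestOptions;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use InvalidArgumentException;

class CustomerSyncController extends Controller
{
    public function sendCustomerData(Request $request): JsonResponse
    {
        // Forward only the fields the upstream API needs, not $request->all().
        // The field names are an assumption for this example.
        $customerData = $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email'],
        ]);

        // Hypothetical config key; the original page hard-codes the URL.
        $endpoint = (string) config(
            'services.customer_api.url',
            'https://example.com/api/customer'
        );

        // Fail closed if anyone ever points this at a plain-HTTP endpoint.
        self::assertHttps($endpoint);

        $client = new Client([
            // true = verify against the system/cURL default CA bundle; a string
            // path pins a specific bundle. Never set this to false in
            // production: that silently reintroduces the MITM exposure.
            RequestOptions::VERIFY          => true,
            RequestOptions::CONNECT_TIMEOUT => 5,
            RequestOptions::TIMEOUT         => 10,
        ]);

        try {
            $res = $client->request('POST', $endpoint, [
                // Guzzle sets Content-Type: application/x-www-form-urlencoded
                // for form_params itself; no manual header is needed.
                RequestOptions::FORM_PARAMS => $customerData,
            ]);
        } catch (TransferException $e) {
            // Base class of ConnectException and RequestException, so this
            // covers DNS/connect/TLS handshake failures as well as a peer
            // certificate that fails verification. Nothing was sent.
            report($e);
            return response()->json(['error' => 'Upstream request failed'], 502);
        }

        return response()->json(['upstream' => (string) $res->getBody()]);
    }

    /**
     * Guard against accidental downgrade to plaintext HTTP.
     */
    public static function assertHttps(string $url): void
    {
        $scheme = parse_url($url, PHP_URL_SCHEME);
        if (!is_string($scheme) || strtolower($scheme) !== 'https') {
            throw new InvalidArgumentException(
                'Refusing to send customer data over non-HTTPS URL: ' . $url
            );
        }
    }
}
```

The scheme check is the piece the page's fix lacks: with the URL in configuration or an environment variable, an https:// literal in the source no longer guarantees anything, and assertHttps() turns a silent downgrade into an immediate, loud failure. Catching TransferException rather than the more specific ConnectException matters because a certificate that fails verification surfaces as a RequestException from the cURL handler, not as a connection error.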